Comprehensive data protection for all workloads
roggenk
Novice
Posts: 3
Liked: never
Joined: Nov 06, 2025 11:01 pm
Full Name: Kurt Roggen

Feature Suggestion: Secret detection inside backups

Post by roggenk »

Linked to all security initiatives/efforts within VBR since versions 12.x, being able to detect secrets stored (in clear-text) inside backups would be a great addition. Secrets include clear-text passwords/credentials, API keys, private keys, etc., which are simple pattern searches.
Having these security findings reported and even forwarded to the SIEM would make a great addition.

This capability would also be relevant for other solutions (e.g. M365 backup, where secrets could be stored in SharePoint or OneDrive).

Hope this helps...
Kurt Roggen [BE]
david.domask
Veeam Software
Posts: 3092
Liked: 713 times
Joined: Jun 28, 2016 12:12 pm

Re: Feature Suggestion: Secret detection inside backups

Post by david.domask »

Hi Kurt,

This sounds like a perfect use-case for YARA scans. You can create rules using regex for the various secrets you have in mind and get alerted by Veeam when the scan triggers a detection, and you can automate it with SureBackup backup verification and content scan jobs across your workloads.
David Domask | Product Management: Principal Analyst

Re: Feature Suggestion: Secret detection inside backups

Post by roggenk »

Hi David,
Thank you for that suggestion. I get it and tried it. However, in practice this would be an extremely lengthy process (scanning tons of files which are not even relevant for storing secrets: images, executables, DLLs, etc.). Even when using the YARA parameter to ignore/skip specific file sizes, that would result in tons of informational output on screen (which cannot be hidden) and would pollute the output which I'm assuming VBR would collect to show the end result.

Re: Feature Suggestion: Secret detection inside backups

Post by david.domask »

Hi Kurt,

Not quite sure what you mean with regards to the "tons of information" part -- YARA Scan results will show only the files where onion links are detected during the scan. Example from a quick test I just ran with a YARA rule for onion links:

Rule:

Code:

rule OnionLinks
{
    meta:
        description = "Onion link"

    strings:
        $onion_link = /\S*?\.onion/ // this is a simplified regex for a quick test

    condition:
        $onion_link
}

Result:

OnionLinks [] /run/media/Veeam.Mount.FS/6913ad7b-c696-468d-a000-89e842af0a33/rl-root/tmp/file1
Exit code: 0

The scan results will print just which rule is matched and which file it matched on, and you can create similar rules for whatever secrets you'd want and limit the rule accordingly to avoid things like image files.
David Domask | Product Management: Principal Analyst

Re: Feature Suggestion: Secret detection inside backups

Post by roggenk »

Hi again,
I'm looking for a way not to choke the scan jobs and to make them more efficient by skipping irrelevant file types (executables, images).
To my knowledge YARA does not provide that capability; however, it allows skipping files above specific sizes.
However, when skipping those (large/irrelevant) files, lots of informational info is shown on screen (which cannot be hidden) and will probably clutter the output and not clearly show the real findings.

That's why I'm hoping that VBR could take care of that internally/natively.

Greetings,
K
Gostev
Chief Product Officer
Posts: 32897
Liked: 8055 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Feature Suggestion: Secret detection inside backups

Post by Gostev »

What would be a regex to detect usernames and passwords? Unlike onion links detection, I'm not sure it's possible to design something that doesn't create a ton of false positives.

Re: Feature Suggestion: Secret detection inside backups

Post by david.domask » 1 person likes this post

For passwords probably not possible to get a perfect regex, but API keys and other secrets like S3 access / secret keys have a structured format (see the regex link above for examples), so that's possible to get accurately with very low chance of false positives.

Similarly, can imagine most people who would be (improperly) storing passwords in plain text probably would use some lead like "password:" or "pass" or common default usernames -- not perfect no, but would still probably get quite a few. For passwords will need to accept false positives, but other secrets can be parsed with YARA pretty accurately.
David Domask | Product Management: Principal Analyst
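
The two ideas from the replies above (structured secrets matched by regex, and limiting a rule so images and executables cannot trigger it) can be combined in one rule file. This is an added example, not part of the thread and not a Veeam-supplied rule set; the rule names, the 5MB limit, the magic-byte list and the patterns are illustrative assumptions.

```yara
// Added example: names, size limit and patterns are assumptions for illustration.

// Private rules are not reported themselves; this one is a reusable gate.
private rule NotBinaryOrImage
{
    condition:
        filesize < 5MB and
        uint16(0) != 0x5A4D and        // "MZ": Windows PE (exe, dll)
        uint32(0) != 0x464C457F and    // "\x7fELF": Linux executables
        uint32(0) != 0x474E5089 and    // PNG signature
        uint16(0) != 0xD8FF and        // JPEG signature
        uint32(0) != 0x38464947        // "GIF8"
}

rule Secret_AWSAccessKeyId
{
    meta:
        description = "AWS-style access key ID: AKIA followed by 16 characters"
    strings:
        $akid = /\bAKIA[0-9A-Z]{16}\b/
    condition:
        NotBinaryOrImage and $akid
}

rule Secret_PEMPrivateKey
{
    meta:
        description = "PEM private key header"
    strings:
        $pem = /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/
    condition:
        NotBinaryOrImage and $pem
}

rule Secret_PasswordAssignment
{
    meta:
        description = "Lead word followed by a value; expect false positives"
    strings:
        $pw = /(password|passwd|pwd)\s{0,3}[:=]\s{0,3}\S{6,64}/ nocase
    condition:
        NotBinaryOrImage and $pw
}
```

The gate is part of the match condition, so it controls which files can produce a finding; it is not a filter applied before a file is read.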

Re: Feature Suggestion: Secret detection inside backups

Post by david.domask »

roggenk wrote (Nov 20, 2025 1:02 am): "However, when skipping those (large/irrelevant) files, lots of informational info is shown on screen (which cannot be hidden) and will probably clutter the output and not clearly show the real findings."

Also, roggenk, I wanted to follow up on this as I'm not quite sure what you are discussing.

My suggestion from the first post was to use the Veeam-integrated YARA scans which can be run as part of on-demand Scan backup sessions or as part of other scheduled jobs like SureBackup, which will produce concise reports within Veeam.

It sounds like you're imagining running the yara scan directly on production, which is not what is being proposed here. If you can clarify your concern, would be appreciated, but it really sounds like the Veeam YARA scanning feature is exactly what you want, and that won't produce the cluttered output you're concerned about.
David Domask | Product Management: Principal Analyst